Disinformation and Cyber-Threats: Vulnerability and Resilience in the 2019 EU Elections

Disinformation and Cyber-Threats: Vulnerability and Resilience in the 2019 EU Elections

April 3, 2019

In May 2019, over 350 million European citizens will express their vote for the constituency of the new European Parliament in a moment of significant challenges for the European Union (EU). As these may be the most important elections ever faced by the EU, policy-makers should pay particular attention to disinformation campaigns and cyber-threats to guarantee fair and free elections.

In May 2019, over 350 million European citizens across 28 (27, if the United Kingdom exits the EU) countries will elect their representatives for the European Parliament. These elections come at a time of considerable challenges for European institutions. Brexit, immigration, populism, and economic unrest are already threatening the stability of the EU, risking to jeopardise years of cooperation among European member states. Therefore, these elections are of the utmost importance, they will shape the future policies and trajectories of one of the largest democratic bodies in the world.

In the digital era, elections have increasingly become one of the primary targets of cyber-attacks[i]. The EU elections in May will likely expose several vulnerabilities to malicious state and non-state actors who would benefit from a fragmented Europe. Some of these vulnerabilities are inherently a product of the latest technological developments, whereas others are due to specific circumstances of the European case, where the organisation of elections remains a national prerogative. Considering the political magnitude of May’s elections, EU governments must acknowledge the threat posed by potential hacks and respond with a comprehensive strategy.

Hacking election infrastructures or manipulating the voting behaviours of citizens constitute the main cyber-areas of vulnerability for democratic elections. Failing to address these issues could have dramatic implications for the future of the Union. When it comes to the hacking of voting technologies, threats are mainly connected to voter registration, vote counting, and communication of the vote outcome[ii]. This constitutes a critical issue as many European states partially (i.e. France, Hungary, Italy and more) or entirely (Estonia) rely on technology to coordinate their elections[iii]. This approach naturally exposes the entire voting process to cyber-attacks against election infrastructures such as voting machines, databases, and member states’ election websites. Given the cross-border nature of these elections, hackers have the opportunity to exploit and attack each country’s vulnerabilities and create security breaches for their own malevolent purposes.

The second area subject to cyber-meddling is the manipulation of the voting behaviour of European citizens. Nowadays, hackers have powerful tools to influence preferences at the ballot-box. First, trolls and computer bots are widely used to spread rumours and fake news on social media in order to divide and sway public opinion. For example, these tactics have been deployed extensively in Italy to foster anti-immigration and anti-Non-Governmental Organisation sentiments across the population[iv]. Secondly, hackers may exploit security breaches in politicians’ e-mails and databases in order to steal sensitive information to release during delicate moments of the elections. Such efforts have already been observed in Europe, notably with the Macron Leaks– the release of more than 20,000 private emails just two days before the French presidential elections[v]. Third, hackers may undermine free and transparent democratic elections using targeted social media posts and advertisements based on the data-mining of internet users’ preferences. In this regard, the most notable case is the Cambridge Analytica scandal, which involved exposing the data of up to 87 million Facebook profiles for political purposes, shedding light on the (mis)use of social media data in political environments[vi]. Finally, the latest developments in Artificial Intelligence and digital technology are paving innovative paths that may be dangerously exploited by hackers for political purposes. The coming years will likely see a widespread use of “deep fakes” – digital manipulations of audio or video resources almost indistinguishable from real ones – that will further challenge the resilience of democracies all over the world[vii]. While it is unlikely that deep fakes will be used for the upcoming elections, European governments should be aware of the direction in which the disinformation war is heading to prepare for the variety of future threats.

While there are several measures that might reduce the aforementioned threats, there is no infallible way to eradicate cyber-threats and information operations[viii]. Therefore, the EU should increase the efforts stated in the 2013 Cyber Security Strategy concerning high-level deterrence and resilience cyber-strategies[ix] to ensure transparent and fair elections in May, which undoubtedly requires a close co-operation among EU governments. The implementation of a permanent mandate for the European Union Agency for Network and Information Security (ENISA)[x] represents a considerable improvement in the common fight against cyber-attacks. Moreover, member states will need to implement a mix of short- and long-term policies to combat the most delicate aspects of these phenomena.

In the short-term, European governments should focus their attention on technological and normative fields, setting up firm codes of conduct for tech companies, as well as coercive measures for all actors involved in disinformation campaigns. Although it failed to live up to its expectations[xi], the ‘Code of Practice’ signed in September 2018 by the European Commission with Google, Facebook, and Twitter to address the spread of disinformation and fake news represented a strong step forward for the development of joint measures to tackle these issues[xii].

In the long-term, European member states will have to direct their efforts towards development in the IT, social, and cultural fields. In fact, if these issues cannot be solved entirely by technological advancements, it means that European citizens will have to learn to operate in an environment characterized by the presence of fake-news. States should, therefore, invest massively in media literacy to assure a wide development of critical and analytical skills among their citizens, reducing, in turn, the impact of disinformation efforts. Additionally, EU governments will have to further cooperate to create a pan-European normative framework that will apply strict regulations against malignant actors in this digital arms race.

A joint European approach to these threats and a common perspective on election security are necessary to ensure the legitimacy of these elections. As previously mentioned, it will be crucial for the future of the EU and its member governments to do everything in their power to ensure a fair, free, and transparent vote during the upcoming elections. Involving technology in the electoral process should not compromise any of these fundamental requirements. Moreover, since the organization of elections is a national responsibility, varying greatly among member states, there is a significant risk that malicious actors will try to exploit vulnerabilities and consequent security breaches in the electoral process, as some countries are more prepared than others to face these threats[xiv]. Ultimately, EU governments must recognise that the future stability of the EU will depend significantly on the outcome of these elections and will require the utmost attention to guarantee that the founding values of the European institutions – freedom of speech and pluralism within the media – are upheld. Guaranteeing these principles while combatting external meddling constitutes the best weapons available to the EU in the current disinformation war.